Key management and protection in secure execution environments
Abstract
Systems and techniques are described herein for information protection. For example, a process may include obtaining a security information asset at a randomizing engine; performing a first randomization of the security information asset to obtain a randomized security information asset; providing the randomized security information asset to a secure storage device; obtaining the randomized security information asset from the secure storage device; performing a second randomization of the security information asset to obtain an updated randomized security information asset; and providing the updated randomized security information asset to a security component, wherein the updated randomized security information asset is used to perform a security operation.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1. A method for information protection, the method comprising:
obtaining a security information asset at a randomizing engine;
performing a first randomization of the security information asset to obtain a randomized security information asset;
providing the randomized security information asset to a secure storage device;
obtaining the randomized security information asset from the secure storage device;
performing a second randomization of the security information asset to obtain an updated randomized security information asset, wherein the second randomization of the security information asset randomizes the randomized security information asset obtained from the secure storage device;
providing the updated randomized security information asset to a security component, wherein the updated randomized security information asset is used to perform a security operation; and
enforcing, at the secure storage device, a re-masking procedure for the randomized security information asset, wherein the re-masking procedure is initiated based on a determination that one or more bytes of the security information asset have a usage quantity that exceeds a usage discrepancy threshold relative to one or more other bytes of the security information asset.
2. The method of claim 1 , wherein the security information asset is a cryptographic key.
3. The method of claim 1 , wherein the security information asset is obtained in a masked form, and the method further comprises: performing a re-masking of the security information asset to obtain a re-masked security information asset, wherein the first randomization is performed using the re-masked security information asset.
4. The method of claim 1 , wherein the security information asset is obtained in an unmasked form, and the method further comprises performing a masking of the security information asset to obtain a masked security information asset, wherein the first randomization is performed using the masked security information asset.
5. The method of claim 1 , wherein the security information asset is obtained from a security information asset storage device.
6. The method of claim 1 , wherein the updated randomized security information asset is used to derive an additional security information asset for use in performing a security operation.
7. The method of claim 1 , wherein the updated randomized security information asset, prior to being provided to the security component, is augmented to include additional information associated with a processing history of the security information asset and a security policy specifying allowed operations and one or more entities authorized to interact with the security information asset.
8. The method of claim 1 , wherein the re-masking procedure is initiated further based on a determination that a usage threshold for the security information asset is exceeded.
9. The method of claim 1 , further comprising:
determining that the usage discrepancy threshold is exceeded for one or more bytes of the security information asset; and
canceling usage of the security information asset based on the determination.
10. The method of claim 1 , wherein the randomizing engine is included in a secure execution environment.
11. The method of claim 1 , wherein the security component is a cryptographic engine.
12. The method of claim 1 , wherein the security component is a key table.
13. The method of claim 1 , wherein the security component is a key derivation function.
14. An apparatus for information protection, the apparatus comprising:
at least one memory; and
at least one processor coupled to the at least one memory and configured to:
obtain a security information asset at a randomizing engine;
perform a first randomization of the security information asset to obtain a randomized security information asset;
provide the randomized security information asset to a secure storage device;
obtain the randomized security information asset from the secure storage device;
perform a second randomization of the security information asset to obtain an updated randomized security information asset, wherein the second randomization of the security information asset randomizes the randomized security information asset obtained from the secure storage device;
provide the updated randomized security information asset to a security component, wherein the updated randomized security information asset is used to perform a security operation; and
enforce, at the secure storage device, a re-masking procedure for the randomized security information asset, wherein the re-masking procedure is initiated based on a determination that one or more bytes of the security information asset have a usage quantity that exceeds a usage discrepancy threshold relative to one or more other bytes of the security information asset.
15. The apparatus of claim 14 , wherein the security information asset is a cryptographic key.
16. The apparatus of claim 14 , wherein the security information asset is obtained in a masked form, and the at least one processor is further configured to: perform a re-masking of the security information asset to obtain a re-masked security information asset, wherein the first randomization is performed using the re-masked security information asset.
17. The apparatus of claim 14 , wherein the security information asset is obtained in an unmasked form, and the at least one processor is further configured to: perform a masking of the security information asset to obtain a masked security information asset, wherein the first randomization is performed using the masked security information asset.
18. The apparatus of claim 14 , wherein the security information asset is obtained from a security information asset storage device.
19. The apparatus of claim 14 , wherein the updated randomized security information asset is used to derive an additional security information asset for use in performing a security operation.
20. The apparatus of claim 14 , wherein the updated randomized security information asset, prior to being provided to the security component, is augmented to include additional information associated with a processing history of the security information asset and a security policy specifying allowed operations and one or more entities authorized to interact with the security information asset.
21. The apparatus of claim 14 , wherein the re-masking procedure is initiated further based on a determination that a usage threshold for the security information asset is exceeded.
22. The apparatus of claim 14 , wherein the at least one processor is further configured to:
determine that the usage discrepancy threshold is exceeded for one or more bytes of the security information asset; and
cancel usage of the security information asset based on the determination.
23. The apparatus of claim 14 , wherein the randomizing engine is included in a secure execution environment.
24. The apparatus of claim 14 , wherein the security component is a cryptographic engine.
25. The apparatus of claim 14 , wherein the security component is a key table.
26. The apparatus of claim 14 , wherein the security component is a key derivation function.
27. The apparatus of claim 14 , wherein the apparatus comprises a wireless communication device.
28. A non-transitory computer-readable medium storing computer executable code, the computer executable code, when executed by at least one processor, causes the at least one processor to:
obtain a security information asset at a randomizing engine;
perform a first randomization of the security information asset to obtain a randomized security information asset;
provide the randomized security information asset to a secure storage device;
obtain the randomized security information asset from the secure storage device;
perform a second randomization of the security information asset to obtain an updated randomized security information asset, wherein the second randomization of the security information asset randomizes the randomized security information asset obtained from the secure storage device;
provide the updated randomized security information asset to a security component, wherein the updated randomized security information asset is used to perform a security operation; and
enforce, at the secure storage device, a re-masking procedure for the randomized security information asset, wherein the re-masking procedure is initiated based on a determination that one or more bytes of the security information asset have a usage quantity that exceeds a usage discrepancy threshold relative to one or more other bytes of the security information asset.
29. The non-transitory computer-readable medium of claim 28 , wherein the security information asset is obtained in a masked form, and the computer executable code further causes the at least one processor to: perform a re-masking of the security information asset to obtain a re-masked security information asset, wherein the first randomization is performed using the re-masked security information asset.
30. The non-transitory computer-readable medium of claim 28 , wherein the security information asset is obtained in an unmasked form, and the computer executable code further causes the at least one processor to: perform a masking of the security information asset to obtain a masked security information asset, wherein the first randomization is performed using the masked security information asset.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.